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Abstract — Functional Reactive Programming (FRP) is an ap- 
proach to streaming data with a pure functional semantics as 
time-indexed values. In previous work, we showed that Linear- 
time Temporal Logic (LTL) can be used as a type system 
for discrete-time FRP, and that functional reactive primitives 
perform two roles: as combinators for building streams of data, 
and as proof rules for constructive LTL. In this paper, we add 
a third role, by showing that FRP combinators can be used to 
define streams of types, and that these functional reactive types 
can be viewed both as a constructive temporal logic, and as 
the types for functional reactive programs. As an application of 
functional reactive types, we show that past-time LTL (pLTL) 
can be extended with FRP to get a logic pLTL+FRP. This 
logic is expressed as streams of boolean expressions, and so 
bounded satisfiability of pLTL can be translated to Satisfiability 
Modulo Theory (SMT). Thus, pLTL+FRP can be used as a 
constraint language for problems which mix properties of data 
with temporal properties. 

I. Introduction 

The slogan "propositions are types, proofs are programs" 
can be indexed by time, to give a new slogan "temporal 
propositions are functional reactive types, proofs are functional 
reactive programs." This is the core idea behind the author's 
prior work [11], developed simultaneously by Jeltsch [14], 
showing that a constructive variant of linear-time temporal 
logic (LTL) [21] can be regarded as a type system, whose proof 
objects are expressed using discrete-time Functional Reactive 
Programming (FRP) [7]. 

In this paper, we further explore the connection between 
FRP and temporal logic, by showing that not only can FRP 
programs express the proofs of temporal propositions, they 
can also express the propositions themselves. We do this by 
defining FRP in a dependently typed functional language, in 
which there is no distinction between the language of types 
and the language of values. The type of streams is [As] where 
As is a stream of types; the type [A 0 :: ^i :: A 2 :: ■ ■ ■] is 
inhabited by stream (v 0 :: v\ :: v 2 ■'■ • • •) where each Vi has type 
Ai. For example, the stream (1 :: true :: 2 :: false :: • • •) has type 
[N::B::N ::B ::■■■]. 

Constructively, types can be viewed as propositions: a proof 
of the proposition A is given by a value v of type A. A stream 
of types (A 0 :: A\ :: A 2 :: • • •) can thus be seen as a temporal 
property, which is true at time k whenever A k is inhabited. A 
stream of values (w 0 .:v\ ::v 2 ■■•••) of type [A 0 :: Ai :: A 2 :: • • •] 
provides a witness for each Ai. Thus, inhabitance of the 
type [As] can be viewed as a proof that ,4s is true at all 
times, that is that As is a tautology. 

In [11], we showed that the combinators of an FRP library 
can perform double duty: as well as their usual use as the 
building blocks of reactive programs, they can be seen as proof 



combinators for proving tautologies in a constructive variant of 
LTL. In this paper, we add another use for FRP combinators: 
they allow the construction of streams of types, which in turn 
can be used to give the types of the combinators themselves. 
Thus, functional reactive programs can be used to construct 
functional reactive types. 

For example, consider the "head" and "tail" functions: 

\(x :: xs) = x • (x :: xs) = xs 

Now, consider the type of the "head" function: it takes a stream 
(v ::vs), whose type is [A:: As], and returns a value v of type 
A. Now, A is the head of (A:: As), so its type is: 

! : [As] 

Similarly, the type of "tail" is: 

. : [As] -+ [.As] 

This simple example shows the triple play of functional 
reactive programs with functional reactive types: 

1) As a function on streams of values, • is the familiar 
"tail" function. 

2) As a function on streams of types, • is the "next time" 
modality of LTL: »As is inhabited at time k when As 
is inhabited at time k + 1. 

3) As a proof combinator, • takes a proof of [As] and 
returns a proof of [»As], that is if As is tautology, then 
•As is a tautology. 

In particular, we can define a recursive function indn which 
performs iteration over streams: 

mdn(f::fs)(x)^(x::\ndn(fs)(f(x))) 

As a function on streams, this is an "accumulating fold": 

indn(/ 0 ::/i:: /a ::■■■)(*) 

= {x::f Q (x)::f 1 (f Q {x))::h(fi{fo(x)))::--) 

which can be used to define functions such as sum, which 
provides a running total of a stream of numbers: 

sum(i 0 :: X\ :: x 2 :: ■ ■ •) 

= (xq :: (x 1 + Xq) :: (x 2 + x 1 + Xq) ::•••) 

As a function on streams of types, it can be used to define 
modalities such as "always in the past" (□), where DAs is 
inhabited at time k whenever As is inhabited at every time 
j < k, that is it gives a running product of a stream of types: 

□ (A 0 ::Ai :: A 2 ::■■■) 

= (A 0 :: (Ai x A 0 ) :: (A 2 x A 1 x A 0 ) ::•••) 



As a proof combinator, it is an induction principle for LTL: 

indn : [As => .As] -> (!As) -> [As] 

where =>■ is the pointwise lifting of the function space to 
streams of types: 

(A :: ,4s) => (B :: Bs) = (A -> B) :: (As => Bs) 

That is, indn says that if truth of As at time k implies truth 
of As at time k + 1, and .As is true at time 0, then As is true 
at any time k, which is the usual induction scheme over N. 
This use of induction over N to give an LTL type for recursive 
FRP programs is similar to Krishnaswami and Benton's [17] 
use of contraction maps in ultrametric spaces. 

In the remainder of this paper, we will make the notion 
of functional reactive type more precise. Section II gives the 
mathematical preliminaries for the paper. Section III defines 
the stream combinators, and their types. Section IV shows how 
past-time LTL (pLTL) can be coded as streams of types. 

As an example of pLTL with FRP, in Section V, we show 
how to define streams of expressions in a theory of booleans 
and integers, such that satisfiability of a boolean expression 
corresponds to satisfiability of a pLTL formula. This allows 
expression of pLTL formulae which makes use of stream 
expressions constructed using FRP combinators, for example: 

□ (sum(xs) + ys = 0) 

The expression language used is suitable for passing on to 
an SMT solver (see, for example de Moura and Bj0rner's 
survey [5]), and so gives a simple algorithm for checking 
fc-bounded satisfiability of pLTL+FRP: construct a stream of 
expressions (E a :: E\ :: E 2 :: • • •), and pass expression E k to 
an SMT solver. This algorithm has been implemented, using 
Z3 [4] as the solver, with promising execution times (sub- 
second on the examples tested). 

Sections II-V of this paper are written in Literate Agda [1], 
and all formal definitions and results are typechecked Agda 
code [12]. 



II. Mathematical preliminaries 

This paper uses Agda [1] as its expression of constructive 
mathematics and dependent type theory. We will elide some of 
Agda's technical machinery, such as extensionality, inferrable 
arguments, universes and universe polymorphism. In particular 
we will work as if the type of types were itself a type (in the 
formal development we use universe polymorphism instead of 
making this unsound assumption): 



We write x for product, l±l for coproduct, _L for empty, and 
T for singleton: 

fst : (A x B) -> A snd : (A x B) -> B 
both : (A -> B) -> (A -> C) -> A -> (B x C) 
map x : (A -> B) -> (C -> D) -> ((A x C) -> (B x D)) 

inl : A -> (A W B) inr : B -> (A W B) 
case : (A -> C) ->■ (5 -> C) -> (A W B) -> C 
map* : (A -> B) -> (C -> I>) -> ((A W C) -> (5 W £))) 
T : * * : T 

_L : ★ contradiction : _L — >• A 

We write V for universal and 3 for existential quantification, 
(where B:A->*): 

(Vz -> B(ar)) : * (3ar -> B(a;)) : ★ 

Universal quantification is a function space, and existential 
quantification is a product, inhabited by (where L : A, M : 

B(L) and JV(ar) : B(x)): 

(Xx -> N(x)) : (Vx -> (L, M) : (3a; -> B(a;)) 

We write (A — > d 5) as a synonym for universal quantifica- 
tion: 

(_^ d _):(V(A:*)^(A^*)^*) 
(A ^ d B) = (V.t ^ 

The type (,t = ?/) is inhabited whenever x and y are proposit- 
ionally equivalent; its only constructor is * of type (x = x): 

(_ = _): A -> A -> * * : (a; = x) 

We use = to define < on the natural numbers: 

(_<_): N N -> * (m < n) = (3£ £ + m = n) 

P(A) is the constructive powerset: 

P:*^* P(A) = (A^*) 

We define the usual constructions on sets, in particular ieS 
is true whenever S(x) is inhabited, and set comprehension is 
just an abbreviation for A-abstraction: 

(x€S) = S(x) {x\P(x)} = (\x^P(x)) 

All formal definitions and results in this paper are written in 
Literate Agda, and typecheck. 

III. Functional Reactive Programs and Types 
In this section, we formalize our notion of streams, and 
define FRP combinators which can be used to define streams 
of values, streams of types, and tautologies in constructive 
temporal logic. 

We begin with the type of homogeneous streams, defined in 
Figure 1. The type A" is the type of homogeneous streams, 
all of whose elements are of type A. In keeping with the 
FRP tradition, streams are defined as functions Time — >• A, 
and since we are interested in discrete-time FRP, A" is just a 
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(-") : * ^ * 

(_) : A -+ A" 
(x)(n) = x 

Fig. 1. Homogeneous FRP 



[_]:*<^* 
[As] = (Vn A S (n)) 

! : [As] -+ As(0) 
\x S = xs(0) 

• : [As] -> (Vn^ As(n+1)) 
(. a »)(n) = a»(n + l) 

(_ :: _) : As(0) -> (Vn -> As(n + 1)) -> [As] 
(a: :: xs)(0) = .t 
( i r:: a »)(n+l) = a »(n) 

(_$_): (Vn — > V.t -> Ss(n)(a;)) -> 

(Vzs -> Vn ->• Bs(n)(xs(n))) 
(fs$xs)(n)=fs(n)(xs(n)) 

indn : (Vn ->• As(n) -> As(n + 1)) ->• 
As(0) -> [As] 

indn(/ 5 )( 2 ;)(0) = .T 
indn(/ S )(x)(n+l)=/ S (n)(indn(/ S )(x)(n)) 

Fig. 2. Heterogeneous FRP 

synonym for N — > A. Of particular instance is the case where 
A is *, since is the type of streams of types, which are the 
functional reactive types we are interested in. 

We define the constant stream (fc), equal to {k :: k :: k :: ■ ■ •), 
which has type A w whenever fc has type A. For example (1) 
has type N", (_ + _) has type (N ->• N -)• N)", (N) has type 
* w , and (_ x _) has type (★—>★—> *) w . 

We now turn our attention to heterogeneous streams, in 
Figure 2. The type [As] (where As is a stream of types, that is 
its type is *") is inhabited by heterogeneous streams xs where 
each xs(i) has type As(i). In particular, note that: 

A- EE [(A)] 

That is, homogeneous streams are an instance of heteroge- 
neous streams. In particular, the constant stream function can 
be given the type: 

<_>:A^[<A>] 

This typing is well-founded because the type of (_) is defined 
to be A — > A u (which is well-founded) which is definitionally 
equivalent to A — >• [(A)]. We define (_) using homogeneous 
streams, as we could not define (_) to have type A -> [(A)] 
directly, since this would use the definition of (_) in its own 
type, which is not well-founded. 



(AshBs) = (_x_)$As$Bs 

(_ V_) :*"->*•"-► V 
(AsVBs) = (_ttl_) $ As$5s 

(As L Bs)" = (_ -> _) $ As $ Bs 

(As 1= Bs^ = (Bs =► As) 

(As -L Bs)~ = (As <= Bs) A (As Bs) 

(_^ d _) : (V(As : O ^ [As ^ <*>] ^ O 
(As ^> d Bs) = (_ _) $ As $ Bs 

Fig. 3. Logical connectives as functional reactive types 

We define the "head" function (!), "tail" function (•) and 
"cons" function (_::_) which satisfy: 

\{x::xa) = x 
.(x::xs) = xs 
(\xs::.xs) = xs 
(x :: (x)) ee (x) 
The derived types for these functions are: 
! : [As] -+ (!As) 
. : [As] -+ [.As] 
(_::_): A^ [As] -> [A :: As] 
In particular, for homogeneous streams, these functions have 
their expected type: 

l:A u ^A 
• : A u -> A" 
(_::_): A -> A" -> A" 
The "apply" function (_$_) applies a stream of functions 
pointwise to a stream of arguments to get a stream of results: 

(f,.fs)$(x,.xs)^(}(x)::(fs%xs)) 

The type for "apply" is not particularly readable, but we can 
provide a derived type which is much more familiar. First, we 
take a detour into deriving the pointwise logical connectives 
A, => and so on, in Figure 3. These are all defined pointwise, 
for example: 

[As => Bs] ee (Vn -> As(n) -> Bs(n)) 
In particular, the dependent function space on streams has: 

[As Bs] ee (Vn -> Vx -> Bs(n)(z)) 
Thus, the "apply" function can be given the derived type: 

(_$_): [As Bs] -> (Vis -> [Bs $ xs]) 

In particular, the independent function space is an instance of 
the dependent function space: 

(As => Bs) ee (As ^ d (An -> Ax -> Bs(n))) 
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(J : A -+ [(A)] 
! : [As] -> (\As) 

• : [As] -> [»As] 
(_::_): A ^ [As] ^ [A:: As] 

(_$_): [As ^ d Bs] -> (Vis -> [Bs $ as]) 
(_$_): [As ^Bs] -> [As] -> [Bs] 
indn : [As => .As] -> (!As) -> [As] 

Fig. 4. Functional reactive types for FRP 

and so "apply" has a specialized type for independent func- 
tions, which is the familiar "modus ponens" elimination rule 
for implication: 

(_$_): [As => Bs] -> [As] -> [Bs] 

Since: 

((A) <B» = <A i?) 
we get for homogeneous streams: 

(_$_): B) w -> A" -> B u 

which, together with (_), gives the structure of an applicative 
functor [18] to homogeneous streams. 

In Figure 4, we restate the types for FRP, using functional 
reactive types. 

The last combinator we consider is the induction rule for 
natural numbers. Its derived type is an induction rule for LTL: 

indn : [As => .As] -> (!As) [As] 

In particular, for homogeneous streams, indn is an indexed 
iterator: 

indn : (N -> A -> A) -> A -> A" 
from which we can define the usual stream iterator: 
iterate : (A -> A) ->• A -> A w 
iterate(/) = indn(/) 

For example, we can define a clock which returns the current 
time as: 

now : N" 
now = iterate(_+ 1)(0) 
now(n) = n 

Induction can be used to define functions such as a "running 
total" function, defined in Figure 5, satisfying: 

!(sum(xs)) = \xs 

• (sum(xs)) = mxs plussum(a;s) 

For example: 

sum(3::2::l::(0)) = (3::5::6::(6)) 

The same technique is used in Figure 6 to define the temporal 
connectives from past-time LTL (pLTL) as functional reactive 
types. For example, the □ modality acts as an iterated product: 

\(DAs) ee !As 
• (□As) = (•As) A (nAs) 



scan : [As Bs •Bs] ->• 
(IBs) -+ [As] -+ [Bs] 
scan(fs)(y)(xs) = \ndn(fs$xs)(y) 

scan! : [.As As .As] -> 
[As] -+ [As] 
scan 1 (/,)( a ;s)=scan(/s)(! a ;s)(. a ;s) 

scan 2 : [«Bs »As Bs »Bs] -> 

[As] -+ [Bs] -+ [Bs] 
scan 2 (/s)(xs)( 2/ s) = scan(/s $ . 2/ s)(!ys)(. a :s) 
(_plus_) :N W ->N W -^N w 
xs plus ys = (_ + _)$ xs $ ys 
sum : N w -> N w 
sum = scani(_ + _) 

Fig. 5. Scan functions 

O : * w -> 
OAs = T :: As 

□ :★<"->■ * w 
□ = scani(_ x _) 

0 : *« -> 
0 = scani (_l+l_) 
(_ S _) 

(_S_) = scan 2 (_W_ x _) 

(_>_) = scan 2 (_ x _ -> _) 
Fig. 6. Temporal connectives as functional reactive types 

so, for instance: 

□ As(2) = As(2) x As(l) x As(0) 

and the S modality acts as an iterated nested product and 
coproduct: 

!(AsSBs) = IBs 

• (As S Bs) ee (.Bs) V ((.As) A (As S Bs)) 
so, for instance: 

(As S Bs)(2) ee Bs(2) W As(2) x (Bs(l) W As(l) x Bs(0)) 

We have now defined the logical connectives of pLTL as 
functional reactive types, and now look at how proof rules 
for pLTL can be encoded as functional reactive programs. In 
particular, we will show that FRP forms a category whose 
objects are functional reactive types, and whose morphisms 
are programs of type [As => Bs], where A is product, V is 
coproduct, □ is a comonad, and 0 is a monad (and so form a 
model of constructive S4 modal logic [2]). The novelty here 
(compared to the author's previous work [11]) is that all the 
proof rules are defined just using the combinators in Figures 1 
and 2, thus showing that it is sufficient to present streams as 
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(consti (fc) : [(F) $ As]) where 

(VA -> fc : F(A)) 
consti (fc) = ((AA -> fc))$ As 
(const 2 (fc) : [(F) $ As $ Bs]) where 

(VAF ->■ fc : F(A)(B)) 
const 2 (fc) = ((AA, 5 -> fc)) $ As $ Bs 
(const 3 (fc) : [(F) $ As $ Bs $ Cs]) where 

(VABC^ fc : F(A)(B)(C)) 
const 3 (fc) = ((AA, 5, C -> A:)) $ As $ Fs $ Cs 
(const 4 (fc) : [(F) $ As $ Fs $ Cs $ Bs]) where 

(VABCF -> fc : F(A)(F)(C)(D)) 
const 4 (fc) = ((AA, F, C, F ^ fc)) $As$Bs$Cs$Ds 

Fig. 7. Polymorphic constants 

ids : [As => As] 
ids = consti(id) 

(_•_): [Bs => Cs] -> [As => Bs] -> [As =► Cs] 
(/s- 5 s) =const 3 (_o_)$/s$ 5 s 
(/s-ids)=/s 
(ids-/s)=/s 
((/s • c/s) • /is) = (fs ■ (gs ■ hs)) 

Fig. 8. Categorical structure of streams 

an applicative functor with induction to deduce the categorical 
structure. 

Before we can do this, however, we need to take a look at 
polymorphic constants such as the identity function. We are 
interested in finding an identity on streams with type: 

ids : [As => As] 

The obvious definition is (id), but we can only use this 
definition on homogeneous streams: 

(id) : [(A) => (A)] 

It cannot be given the more general type [As As] as the 
type id is being used at is A(n) -> A(n), which depends 
on the time n. The constant stream (fc) can only be used 
to construct homogeneous streams whose value and type do 
not depend on the time n. The same problem impacts all of 
the functions over heterogeneous streams such as function 
composition, projections and injections. We need a way to 
allow polymorphic constants whose type depends on the time 
n. We do this in Figure 7 where we define a polymorphic 
constant consti (fc) such that: 

consti (&)(?•/.) = k 

The difference between consti and (_) is its type, since 
consti(fc) allows k to be polymorphic and vary its type with 
time, whereas (k) requires k to be constant in its type. 

(consti (A) : [(F) $ As]) where (VA -> k : F(A)) 



fsts : [(As A Bs) => As] 
fsts = const 2 (fst) 
snds : [(As A Bs) => Bs] 
snds = const 2 (snd) 
boths : [(As Bs) => (As => Cs) 
As (Bs A Cs)] 
boths = const 3 (both) 
map A : [(As Ss) ^ (Cs ^ Fs) ^ 
((As A Cs) ^ (BsAFs))] 
map A = const 4 (map x ) 

/s = (fsts - (boths $ /s $gs)) 
gs = (snds • (boths $ fs $ gs)) 
/is = (boths $ (fsts • hs) $ (snds • hs)) 
map A $fs$gs = boths $ (/s • fsts) $ (gs ■ snds) 

Fig. 9. Product structure of streams 

inls : [As (As V Fs)] 
inls = const 2 (inl) 

inrs : [Fs => (As V Fs)] 
inrs = const 2 (inr) 

cases : [(As => Cs) => (Bs => Cs) => 
(As V Fs) =^> Cs] 
cases = const 3 (case) 
map v : [(As Bs) (Cs => Fs) ^ 
((isVCs) => (&Vfls))] 
map v = const4(map tt) ) 

/s = ((cases $fs$gs) ■ inls) 
gs = ((cases $ fs $ gs) ■ inrs) 
/is = (cases $ (hs ■ inls) $ (hs ■ inrs)) 
map v %fs$gs = cases $ (inls • fs) $ (inrs • gs) 

Fig. 10. Coproduct structure of streams 

We are allowing k to have polymorphic type k : F(A) for any 
F : * — > *, for example if we take fc to be id and F(A) to be 
A — >• A then we have: 

consti (id) : [As As] 

The definition of consti is: 

consti (fc) = ((AA fe)) $ As 

This typechecks because, although consti (k) (n) = k has 
type F(A„) which depends on n, the function (AA — >• fc) 
has type VA — > F(A) which does not depend on n. This 
use of dependent types allows us to define constants that 
are parametric in time. In Figure 7 we also define const 2 , 
const 3 and so on. For example, taking F(A)(B)(C) to be 
(B -> C) ->• (A -> F) -> (A ->• C), composition of stream 
functions can be defined: 

(_•_): [Fs => Cs] -> [As => Fs] -> [As => Cs] 
(/s- 5 s) = const 3 (_o_)$/s$ 5 s 
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map D : [As Bs] — >• [n^4s =4 
map n (/s) = scan(map A )(!/s)(»/s) 
extract : [Dj4s As] 
extract = id :: fsts 



nBs] 



duplicate : [nAs => D(nAs)] 
duplicate = indn(const 3 (Ag — > 

both(id)(. 9 osnd)))(id) 
(extract • duplicate) = ids 
(map n (extract) • duplicate) = ids 

(duplicate • duplicate) = (map n (duplicate) • duplicate) 



Fig. 1 



pLTL :★-»■★ 

true : pLTL(E) 
false : pLTL(E) 
_ and _ : pLTL(E) -> pLTL(E) -> pLTL(E) 



_or_ : pLTL(E) - 
box : pLTL(E) - 
dia : pLTL(E) - 
_ since _: pLTL(E) - 
_ constrain _ : pLTL(E) - 



pLTL(E) - 
pLTL(E) 
pLTL(E) 
pLTL(E) - 
pLTL(E) - 



atom : P(E) -> pLTL(E) 



pLTL(E) 



pLTL(E) 
pLTL(E) 



map* : [As => Bs] -> [<Ma => OBs] 
map°(/s) = scan(map v )(!/s)(«/s) 
return : [As => OAs] 
return = id :: inls 

join : [O(OAs) => <M«] 
join = indn(const 3 (A# — > 

case(id)(inro ff )))(id) 
(join • return) = ids 
(join • map^ (return)) = ids 

(join - join) = (join • map* (join)) 

Fig. 12. Monadic structure of streams 



(fs ■ gs)(n) ^ fs(n) o gs(n 



Proposition 1: Heterogeneous streams form a category 
whose objects are elements of * w , and whose morphisms are 
elements of [As Bs]. This category has products given by 
As A Bs, coproducts given by As V Bs, a comonad given by 
OAs, and a monad given by ()As. 

Proof: The constructions are given in Figures 8-12. ■ 

IV. pLTL as functional reactive types 
In the previous section, we claimed that the logical con- 
nectives in Figure 3 and the temporal modalities introduced 
in Figure 6 corresponded to past-time LTL (pLTL). In this 
section, we shall make this correspondence precise. 

The variant on pLTL we will use is given in Figure 13. 
We define a logic pLTL(E) which is pLTL over words drawn 
from an alphabet E. The only difference between this version 
of pLTL and the usual presentation is the modality ((^constrain 
tp), which we are using as the dual of (cj> since tp): classically 
^(</>constrain?/>) is (</>since->?/>). We are using constrain rather 
than the more usual release modality (where (<j> release tp) is 
-i(-x^since-iVO) because, as we shall see below, constrain cor- 
responds constructively to a function space, whereas it is not 
obvious what the constructive interpretation of release should 
be. The constrain modality was introduced (for future-time 



LTL) by McMillan [19] and further investigated by Namjoshi 
and Trefler [20], and was used in giving a characterization of 
rely-guarantee reasoning for cyclic systems in LTL. 

The semantics of pLTL is given in Figure 14. Here, 
is the set of words drawn from E w which satisfy property 4> at 
position n. We have presented pLTL in negation normal form, 
but we can define negation as: 



not(true) 
not(false) = 
not(</>and ip) = 
not(^or^) = 
not(box(</>)) = 
not(dia(0)) = 
not! o since ijj) = 
not(</> constrain ip) = 
not(atom(S')) = 



: pLTL(E) -> pLTL(E) 
= false 
= true 

= not(0) or not(V>) 
= not(0) and not(V>) 
= dia(not(</>)) 
box(not(</>)) 
4> constrain not(V') 
(f> since not(?/>) 
atom(5 C ) 



We can then show that this has the expected semantics (where 
S C is the complement of S, defined to be E" \ S): 

[not(0)](n) C M(n)C 
M(n) C C* [not(^)](n) 

Here, S C* T means classical set inclusion, that is we use 
excluded middle in showing S C T. This is the only use of 
excluded middle in this paper. 

We now show that the semantics of pLTL can be encoded 
as functional reactive types. This is not completely trivial as, 
for example, the semantics of box is defined using universal 
quantification rather than iterated product. To bridge this 
gap, we introduce alternative characterizations of the pLTL 
modalities as functional reactive types, which is closer to the 
semantics of pLTL. 

We show that this alternative characterization of pLTL is 
isomorphic to the original, where isomorphism As ~ Bs is 
given by a pair of stream functions: 



fs : [As => 
(fs ■ gs) = 



gs : [Bs = 

(gs-fs)-= 



As] 
ids 
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[J : pLTL(S) -+ N P(E«) 
[true](n) = S" 
[false] (n) = 0 
[0andV](n) = M(n)nM(n) 
[0orV](n) = M(n)uM(n) 

[box(</>)](n) ={u)|(Vm^(m<n)^(we MM)) } 
[dia(^)](n) = { w | (3m -+ (m < n) x («, e [0](m))) } 
[</> since V](n) = { w \ (3£ -> (£ < n) x (Vm -> < m) -»■ (m < n) ->■ (tu e M(m))) x (w € WW)) } 
[0 constrain V] (n) = { w | (W -> (£ < n) -> (Vm -> < m) -> (m < n) -> (10 € [0] (m))) -)• (iu G [V>] (*)))} 
[atom(S)](n) = {«;| (f(n)eS)} 



Fig. 14. Semantics of pLTL 



As(£, n] = (Vm -> (£ < m) -> (m < n) - 
□':*"->■ * u 
(D'As)(n) = (Vm -> (m < n) -> As(m)) 

0' : *" -> * w 
(0M«)(n) = (3m -+ (m < n) x As(m)) 



> ,4s(m)) 



(AsS' Bs)(n) = (3£^(£<r, 



<(As(£,n 



(As >' Bs)(n) = (W -> < n) ->• .4s(£,n] -> fls(*)) 

vis S Bs w ,4s S' Bs 
As [> Bs w ,4s [•>' Bs 

Fig. 15. Alternative characterization of pLTL as functional reactive tyj 



The semantics of since and constrain are defined in terms of 
intervals, for example (<j> since ijj) is true at time n if there 
is some £ < n such that ip is true at time £ and <f> is true 
in the half-open interval (£,n\. For this reason, we introduce 
the interval type As(£,n] inhabited by streams xs such that 
xs(m) has type .4s(m) for any £ < m < n. We use As{£, ■».] 
in defining the alternate versions of As S Bs and As G> Bs, 
for example As S Bs is inhabited at time n whenever there 
is some £ < n such that As(£,n] and Bs(£) are inhabited. 
This is formalized in Figure 15, including the isomorphisms 
between the previous presentation of pLTL and the alternative 
presentation (the proofs of these isomorphisms total about 200 
lines of Agda). 

Having provided the alternative definitions of pLTL modali- 
ties as functional reactive types, it is routine to translate pLTL 
into * w , in Figure 16. The formula <j> from pLTL(E) is given 
an interpretation ((</>)) (w), where w is a word in It is 
a direct induction to show that w € [</>](n) precisely when 
(((/)}} (w)(n) is inhabited. 

Proposition 2: 



«true»(t 
«false»(t 
<(</>and 
«0or#(t 
«box(0)»(t 
«dia(fl»(t 
((0 since ^>))(i 
^ constrain ^>))(i 
«atom(S)»(t 



)) : pLTL(S) -> E u -> *" 

= <T) 
= <-L> 

= «#(»)a(WM 
= WWvWW 
- □'(MM) 
= 0'(WH) 
= («>»M s'(W)H 
= «#(») >' WH 

= <S)$«; 



(«;€M(n)) = «0))M(n) 



Fig. 16. Translation of pLTL into functional re 



Proof: An induction on 0. ■ 
V. pLTL+FRP bounded satisfiability 

We now give an application of the use of functional reactive 
programs and functional reactive types. We show how FRP 
can be used to encode pLTL formulae as streams of boolean 
expressions, such that the boolean expression is true at time 
k precisely when the functional reactive type is inhabited at 
time k, and hence precisely when the pLTL formula is true at 
time k. This gives a simple algorithm for bounded satisfiability 
of pLTL: to check if a formula <j) is satisfiable at time k, 
encode it as a stream of boolean expressions Es, and then 
check satisfiability of Es(k). 

In the case of pLTL, the use of SAT-solvers to encode 
bounded satisfiability is well-known [3]. What is new here is 
that FRP is being used to encode pLTL. This means that FRP 
expressions can be used in pLTL formulae, and so we have 
a strictly stronger logic in which one can express properties 
such as "the total sum of xs plus ys is always equal to 0," 
which cannot be expressed in pLTL due to the lack of data 
values. By encoding pLTL+FRP as streams of expressions, 
we can check satisfiability of pLTL+FRP formulae, by using 
a Satisfiability Modulo Theory (SMT) checker [5] to find a 
satisfying assignment for Es(k). 

The syntax of the expression language is given in Figure 17. 
For simplicity, we are just considering a theory with natural 
numbers, addition and equality, but this approach should apply 
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Sort : * 






Exp : (Sort ->★)-> Sort -> 






bool • Sort 






nat ' Sort 




true 


Exp(V)(bool) 




false 


Exp(T/)(bool) 




const 


N -> Exp(V)(nat) 




_and_ 


Exp(V)(bool) -> Exp(V)(bool) 


-> Exp(F)(bool) 


_or_ 


Exp(y)(bool) Exp(V)(bool) 


-> Exp(V)(bool) 


impl _ 


Exp(y)(bool) -> Exp(y)(bool) 


-> Exp(V)(bool) 


_add_ 


Exp(V)(nat) -> Exp(V)(nat) 


Exp(V)(nat) 


_eq_ 


Exp(V)(nat) Exp(V)(nat) 


Exp(V)(bool) 


_ ne _ 


Exp(V)(nat) -> Exp(V)(nat) 


Exp(y)(bool) 


var 


V(S) -+ Exp(V)(S) 





Fig. 17. Syntax of expression language 



sU :Sort->* 
sjbool] =B 
s[nat] =N 

wU : (Sort *) * 

= (VS -»■ 45]) 

eU : Exp(y)(S) vfV} -+ sfSj 
elvar(x)j(p) = p(S)(x) 
e[true](p) = true 
e[false](p) = false 
e[const(n)](p) = n 
e[£andF](p) = e[i?](p)&e[ J F](p) 

e{E or F}(p) = elEl(p)\em(j>) 
elE\mp\F}(p) = elE}(p)DelF}(p) 
e\E add F](p) = e\E\{p) + e\F\(p) 

elEeqFl(p)=eiEj(p) = 4F}(p) 
e[£neF](p)=e[£](p)^e[f](p) 

Fiji. IX. Semantics ol expression language 

to any theory with an SMT solver. The type of expressions 
Exp(V)(S) is parametrized by a set of sorted variables V and 
a sort S. For example, if we have: 

x:Var(nat) y : Var(nat) 

then we can construct an expression encoding x + y = 0 as: 

((var(x) add var(y)) eq const(O)) : Exp(Var)(bool) 

The semantics of the expression language is given in Fig- 
ure 18, and is given relative to a sort-respecting assignment 
of values to variables p. For example, if: 

z = p(nat)(x) j/ = p(nat)(y) 

then: 

e[((var(x) add var(y)) eq const(0))](p) = ((x + y) = 0) 



In Figure 19 we lift the syntax of expressions from single 
expressions to streams of expressions. Variables become time- 
stamped variables, for example, writing: 

Exps(V)(S) = Exp(Timestamped(T/))(ST 

we have: 

vars(x) : Exps(Var)(nat) 

Timestamped variables are of the form (x, k) where x is the 
name of the variable, and k is its timestamp: 

vars(x)(k) = var(x,k) 

We can build up streams of arithmetic and boolean expres- 
sions, for example the expression "the total value of xs plus 
ys is 0" can be encoded: 

example : Exps(Var)(bool) 
example = ((vars(x) addsvars(y)) eqs consts(O)) 

and if: 

x = p(nat)(x,fc) y = p(nat)(y,fc) 

then: 

e [example(A ! )](p) = (( a; + »)=0) 

In the same way as pLTL modalities are encoded as functions 
on streams of types, we can encode pLTL modalities as 
functions on streams of boolean expressions. For example, in 
the same ways as we defined: 

□ ee scani(_ x _) 

we define: 

historically = scani(_ and _) 

For example, if: 

a; = p(nat)(x,0) 2/ = p(nat)(y,0) 

then: 

e[historically(example)(0)](p) ee ((x + y) = 0) 

and if: 

x' ee p(nat)(x, k + 1) y 1 ee p(nat)(y, k + 1) 

then: 

eJhistorically(example)(fc + l)](p) 
ee ((a:' + y') = 0) & e[historically(example)(fc)] (p) 
We can now show that satisfaction of a stream of boolean 
expressions interpreting a pLTL formula is the same as inhab- 
itance of the corresponding functional reactive type. First, we 
define satisfaction of an expression by an assignment p at time 
k to be when e[.Es(n)] is true: 

/U:Exp(y)(booir^^]^*" 
/lEsl{p)(k) = elE S {k)l(p) = true 

We can now show that satisfaction of a pLTL formula corre- 
sponds precisely to inhabitance of a functional reactive type. 



Timestamped : (Sort —>★)—> (Sort — > *) 
Timestamped(^)(5') = V(S) x N 

stamped : V(S) -> N -> Timestamped(y)(5') 
stamped(a;)(n) = 

vars : V(5) -> Exp(Timestamped(F))(S')" 
vars(x) = (var o stamped(a;)) $ now 

consts : N -> Exp(Timestamped(V))(nat) w 
consts(n) = (const(n)) 

(_adds_) : Exp(V)(nat) w -> Exp(V)(nat) w -> Exp(F)(nat) w 
(Fs adds Fs) = ((_ add _) $ Fs $ Fa) 

total : Exp(V r )(nat) w -> Exp(V)(nat) u 
total = scani (_ add _) 
(_eqs_) : Exp(V)(nat) w -> Exp(F)(nat) w -> Exp(F)(bool) w 
(Fs eqs Fs) = ((_ eq _) $ Fs $ Fs) 

(_ands_) : Exp(V)(bool)" -> Exp(V)(bool) w -> Exp(y)(bool) w 
(Fs ands Fs) = ((_ and _) $ Fs $ Fs) 

(_ors_) : Exp(I/)(bool) w -> Exp(V)(bool) w -> Exp(y)(bool) w 
(Fs ors Fs) = ((_ or _) $ Fs $ Fs) 

historically : Exp(V)(bool) w -> Exp(F)(bool) w 
historically = scani(_ and _) 

once : Exp(I/)(bool) w -> Exp(V r )(bool) w 
once = scani(_or_) 
(_sinces_) : Exp(V)(bool) w -> Exp(y)(bool) w -> Exp(y)(bool) w 
(Fs sinces Fs) = scan 2 (_ or _ and _) (Es)(Fs) 

(.constrains.) : Exp(V)(bool)" -> Exp(V)(bool) w -> Exp(y)(bool) w 
(_ constrains.) = scan 2 (_and _ impl _) 

Fig. 19. Streams of expressions 



Proposition 3: 

[(/[Fs](p) A /lFs](p))^/[Fs ands Fsj(p)] 
[(/ [Fs] (p) V / [Fs] (p) ) ^ / [Fs ors Fs] (p)] 

[□(/[Fs](p)) «• /[historicall y (Fs)](p)] 
[0(/[Fs](p))^/[once(Fs)](p)] 
[(/[Fs](p) S /[Fs](p)) /[Fs sinces Fs](p)] 
[(/[Fs](p) > /[Fs](p)) ^ /[Fs constrains Fs](p)] 

Proof: For A and V the proofs are direct. For the temporal 
modalities, the proof is by induction on time. ■ 
The interpretation of pLTL as streams of expressions has been 
implemented, and used as a high-level constraint language. 
An example constraint is shown in Figure 20. It makes use 
of the pLTL modalities always and never, and the derived 
"before" modality Fs <C Fs, defined to be n(Es =>■ D-Fs). 

This constraint is interpreted as a stream of boolean ex- 
pressions Fs, and expression Fs(fc) is passed to an SMT 
solver (we used Microsoft's Z3 [4]). In the example, the 
smallest k that was satisfiable was 17, which generated 646 
boolean variables, 544 integer variables, and 1191 constraints. 
Z3 found a solution within 200ms. 



VI. Conclusions 

In this paper, we have shown that functional reactive pro- 
grams in a dependently typed language are expressive enough 
to define their own types. In particular, functional reactive 
types can express past-time LTL, as well as the proof rules 
for constructive S4 modal logic. 

As an example of the power of functional reactive program- 
ming and functional reactive types, we defined a language 
of expression streams, such that fc-bounded inhabitance of a 
constructive pLTL formula corresponds precisely to satisfia- 
bility of the fcth expression. We have used this to define a 
constraint language based on pLTL+FRP, which translates k- 
bounded satisfiability to a constraint solved by an SMT solver. 

Sections II- V of this paper are written in Literate Agda, and 
all results in those sections have been mechanically verified 
by the Agda proof checker. 

As future work, it would be interesting to explore the 
connection between functional reactive types and type systems 
such as session types [10], typestates [6] or stateful types [13], 
which allow the type of a stream xs to depend not just on the 
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xCost = 150*xl + 330*x2 
yCost = 150*yl + 330*y2 
cost = xCost + yCost 
x = xl | x2 | x3 | x4 | 
y = yl I y2 | y3 | y4 | 



40*x4 
40*y4 



40*y5 + 60*y6 + 60*y7 



150*x8 
150*y8 



always (cost <= 330) 



& 


never (x & y) 




















& 


(sum(xl) == 


1) 


& 


(sum(x2) == 1) 


& 


(sur 


a(x3) == 21) 


& 


(sum(x4) 


== 8) 


& 


(sum(x5) == 


16) 


& 


(sum(x6) == 1) 


& 


(sur 


a(x7) == 1) 


& 


(sum (x8) 


== 1) 


& 


(sum(yl) == 


1) 


& 


(sum(y2) == 1) 


& 


(sur 


a(y3) == 21) 


& 


( sum (y4 ) 


== 8) 


& 


(sum(y5) == 


16) 


& 


(sum(y6) == 1) 


& 


(sur 


a(y7) == 1) 


& 


( sum (y8 ) 


== 1) 


& 


(xl « x2) 




& 


(x2 « x3) 


& 


(xl 


<< x4) 








& 


(x3 « x5) 




& 


(x4 « x5) 


& 


(x5 


« x6) 








& 


(x5 « x7) 




& 


(x6 « x8) 


& 


(x7 


« x8) 








& 


(yl « y2) 




& 


(y2 « y3) 


& 


(Yl 


« y4) 








& 


(y3 « y5) 




& 


(y4 « y5) 


& 


(y5 


« y6) 








& 


(y5 « y7) 




& 


(y6 << y8) 


& 


(y7 


« y8) 









) 



Fig. 20. An example constraint expressed in pLTL+FRP 



current time, but also on the values xs(i) for i < j. It is easy 
to define a functional reactive type As(xs) which depends on 
xs, but we cannot type xs as xs : As(xs) as this type is not 
well-formed, since xs mentions itself in its own type. 

In [15], Jeltsch presents a categorical definition of an 
"abstract process category" as a way of capturing models of 
FRP. It would be interesting to know whether the structure 
defined in this paper is an instance of his definition. 

It would also be interesting to investigate further the rela- 
tionship between As t> Bs and resumption models [8], since 
(As\> Bs)(n + 1) is B(n) x (A(n) -> {As > Bs)(n)), which 
is the type of a resumption. Resumptions have been used in 
modeling coinductive streams [9] and iteratees [16], and it 
would be interesting to know how they could be used in a 
setting of functional reactive types. 
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